How to properly configure antispoofing

Antispoofing is built into VIPRE Email Security for Exchange as a method of detecting spammers who spoof the sender's email address so that it appears to come from your domain.

When Antispoofing is disabled, VIPRE Email Security for Exchange looks at the address passed to the "MAIL FROM:" command during the SMTP transaction. If this address is associated with an account in Active Directory, then the message will be marked as being internal. Internal messages are not scanned by the Antispam plugin.

When Antispoofing is enabled, a series of checks occurs. If the address sent in the "MAIL FROM:" command is associated with an account in Active Directory, VIPRE Email Security for Exchange checks to see if our Antispoofing header has been added (read on for more information on that). If the header is not present, then the IP address of the SMTP connection is compared against the list of trusted IPs.

Only if the IP of the connection matches one in the list at this point will the message be considered internal. If the IP is not in the list, the Antispoofing header is added and the message is not considered internal. If the header was already present, the message is also not considered internal. The exact syntax of this header is:

X-Ninja-AntiSpoofing: spoofed

For a front-end/back-end server environment, Antispoofing would need to be enabled on the front-end servers as well as the back-end. This is because when inbound external messages are passed to the back-end server by the front-end server, the back-end server sees the front-end server's IP address on the SMTP connection and will check whether that IP is trusted, assuming the front-end server didn't already add the Antispoofing header.
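The decision flow described above, modeled in Python as an added example (this is not VIPRE's code). The function names, addresses and IPs are constructed for illustration, and case-insensitive header matching is an assumption.

```python
import ipaddress

HEADER = "X-Ninja-AntiSpoofing"   # header name and value as quoted in the article

def classify(mail_from, peer_ip, headers, ad_addresses, trusted, enabled=True):
    """Apply the article's rules to one SMTP hop; return (is_internal, headers)."""
    headers = dict(headers)
    if mail_from.lower() not in ad_addresses:
        return False, headers                 # sender is not an AD mailbox
    if not enabled:
        return True, headers                  # MAIL FROM alone decides
    # Assumption: header names are matched case-insensitively.
    if any(name.lower() == HEADER.lower() for name in headers):
        return False, headers                 # an earlier hop already flagged it
    if ipaddress.ip_address(peer_ip) in trusted:
        return True, headers                  # AD sender, trusted connection IP
    headers[HEADER] = "spoofed"               # AD sender, untrusted connection IP
    return False, headers

def relay(mail_from, client_ip, fe_ip, ad, fe_trusted, be_trusted, fe_enabled):
    """Front-end hop, then back-end hop, which sees the front-end's IP."""
    _, hdrs = classify(mail_from, client_ip, {}, ad, fe_trusted, fe_enabled)
    return classify(mail_from, fe_ip, hdrs, ad, be_trusted, enabled=True)

# Constructed sample data (not from the article).
AD = {"alice@example.com"}
APP_SERVER = ipaddress.ip_address("10.0.0.25")    # internal mail-sending device
FRONT_END = ipaddress.ip_address("10.0.0.5")
OUTSIDE = "203.0.113.50"                          # external connection
SENDER = "alice@example.com"                      # AD address used in MAIL FROM

def scenarios():
    trusted = {APP_SERVER}
    return {
        "disabled, external IP": classify(SENDER, OUTSIDE, {}, AD, trusted, False)[0],
        "enabled, external IP": classify(SENDER, OUTSIDE, {}, AD, trusted)[0],
        "enabled, trusted IP": classify(SENDER, "10.0.0.25", {}, AD, trusted)[0],
        "enabled on both hops": relay(SENDER, OUTSIDE, str(FRONT_END), AD,
                                      trusted, trusted, True)[0],
        "back-end only, front-end IP trusted": relay(
            SENDER, OUTSIDE, str(FRONT_END), AD,
            trusted, trusted | {FRONT_END}, False)[0],
    }

if __name__ == "__main__":
    for name, internal in scenarios().items():
        print(f"{name}: internal={internal}")
```

The last scenario is the one to avoid: with Antispoofing off on the front-end and the front-end's IP in the back-end's trusted list, an externally submitted message carrying an AD address is classified as internal and skips the Antispam plugin.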

Antispoofing Setup

VIPRE Email Security Antispoofing prevents spoofed messages from being marked as internal and then bypassing the Antispam plug-in. The fact that an X-Ninja-Antispam: header is present tells us that either the message was external or was flagged as spoofed. The reason a spoofed message would make it to the inbox is that this email address is either in the user's allowed senders or contact list. One way to prevent this would be to remove that email address from the offending list. The second way is to enable Antispoofing.

Warning: VIPRE Email Security does not consider all email addresses from your email domain as internal. Only addresses that belong to an Exchange mailbox in Active Directory are considered internal. If you have a printer or similar device that sends notification emails from a non-AD address, a Global allowed senders rule should be configured for this address to prevent the following rule from catching emails from it.

Enable Antispoofing:

Open the VIPRE Email Security Management Console

Navigate to Settings > Domains > Antispoofing

Check Enable Antispoofing

Add the IP address of all mail sending devices to this list

If you have a 2007/2010 Edge Role Server, do not add its IP to the list

If you are running Exchange 2000/2003 front-end/back-end setup, do not add the front-end server